Sophisticated vishing campaign targets Microsoft 365 passkey enrollment across six industries

They know what your data is worth, and they expect to get their value out of it.
A threat actor's statement about their financially motivated campaign targeting Microsoft 365 users.

Since April 2026, a coordinated group of financially motivated attackers has been calling employees across multiple industries, exploiting the very security upgrade Microsoft designed to protect them. By impersonating legitimate passkey enrollment processes and timing their calls to coincide with Microsoft's own reminders, the attackers have turned a moment of institutional trust into a doorway for persistent, silent access. The scheme is a reminder that the most sophisticated deception rarely announces itself — it arrives wearing the face of something familiar.

  • Attackers are calling workers directly by phone, bypassing email defenses entirely and exploiting the human instinct to comply with what sounds like an official IT request.
  • The campaign's timing is surgical — Microsoft's own May 2026 passkey enrollment push primed victims to expect exactly this kind of outreach, making skepticism feel unreasonable.
  • Phishing domains like exampleentity.setpasskey.com are built to mirror legitimate Microsoft interfaces with company-specific precision, collapsing the visual distance between real and fake.
  • The true danger arrives after the call ends: attackers simultaneously register their own passkey in the compromised account, creating a persistent backdoor that survives password resets.
  • A darknet post by a threat actor using the handle 'Pink' removes any ambiguity — this is a profit-driven operation targeting industries with valuable data and historically weaker security postures.

Since at least April 2026, a coordinated attacker group has been calling employees across food and beverage, technology, healthcare, automotive, construction, and aviation companies with an urgent message: enroll your new Microsoft 365 passkey now. The calls are convincing. The domains they point victims toward are specific to the target organization. The enrollment screens are visually indistinguishable from Microsoft's own.

Identity management firm Okta documented the operation in detail, identifying five domains — setpasskey.com, deploypasskey.com, passkeyadd.com, and others — registered between April and June 2026. Attackers build company-specific subdomains for each target, a level of personalization that makes the deception feel credible rather than generic.

What sharpened the campaign's effectiveness was its timing. When Microsoft began issuing legitimate passkey enrollment reminders in May, the attackers folded that context into their pitch. Victims already expecting such a request were far less likely to question it. As they entered credentials into the phishing interface, the attacker was simultaneously registering a passkey of their own — securing a backdoor that persists long after the call ends.

The infrastructure points to a sustained, deliberate operation rather than opportunistic testing, with hosting providers and registrars chosen for resilience. And on a darknet leak site, a figure using the handle 'Pink' described the group's motivation without pretense: they are financially driven, they understand the value of the data they're after, and they intend to collect it. No ideology, no grievance — only profit.

The deeper vulnerability exposed here is architectural. Because the attack begins over the phone, before any link is clicked, conventional email-based defenses offer no protection. By the time a victim reaches the phishing site, the attacker is already inside the conversation — and soon after, inside the account.

Since at least April, a coordinated group of attackers has been calling workers across six industries with a simple pitch: you need to enroll a new passkey in your Microsoft 365 account. The calls sound urgent. The domains they direct victims to look legitimate. The enrollment screens match what Microsoft actually shows. By the time the victim realizes something is wrong, the attacker has already registered their own passkey in the account—giving them a permanent backdoor.

Okta, the identity management firm, documented the campaign in detail. The attackers register domains built around the word "passkey"—setpasskey.com, deploypasskey.com, passkeyadd.com, and others—then create subdomains tailored to their targets. If they're going after a company called ExampleEntity, the phishing site becomes exampleentity.setpasskey.com. The specificity matters. It makes the whole thing feel real.

What makes the scheme particularly effective is its timing. In May, Microsoft began reminding users to enroll passkeys as part of a legitimate security upgrade. The attackers seized on this. They told their targets that Microsoft was requiring the enrollment, that it was urgent, that they needed to act now. The victims, already primed by Microsoft's own notifications, believed it. They clicked the links. They entered their credentials into what looked exactly like Microsoft's interface. And while they were doing that, the attacker was simultaneously registering a passkey of their own in the same account.

The attackers have been methodical about their infrastructure. Okta identified five separate domains registered between April and June 2026, all using hosting providers like DDoS-Guard and registrars like Tucows and Internet Domain Service BS Corp. The domains were created weeks apart, suggesting a sustained operation rather than a one-off test. The sectors being targeted span food and beverage, technology, healthcare, automotive, construction, and aviation—industries with valuable data and, often, less mature security practices.

The threat actors themselves have been transparent about their motives. On a darknet leak site, a person using the handle "Pink" laid out the group's philosophy with blunt clarity. They described themselves as financially motivated, noting that security is expensive, especially when it's been neglected. They said they know what the data is worth and expect to extract that value. There is no ideology here, no activism, no claim of exposing wrongdoing. Just profit.

The danger is not just the immediate credential theft. Once an attacker registers a passkey in a victim's account, they have persistent access. They can come back whenever they want. They can move laterally through the organization. They can exfiltrate data, hold it for ransom, or sell it. The passkey enrollment process, designed to make accounts more secure, has become the vector for compromise. And because the attack happens over the phone, before the victim even reaches a phishing site, traditional email-based defenses are useless. The attacker is already inside the conversation.

Threat actors have used this well-intentioned security upgrade as a pretext for abusing the enrollment process to further their objectives.
— Okta
We are a financially motivated group. Our only goal is profit, and that is our only motivation. We know what your data is worth, and we expect to get our value out of it.
— Pink, threat actor
The Hearth Conversation Another angle on the story
Inventor

Why would someone fall for this? Microsoft's own security team is telling people to enroll passkeys. Wouldn't that make people skeptical of a random call?

Model

That's exactly the point. The attacker is using Microsoft's own messaging as cover. When you get a call saying "Microsoft wants you to enroll a passkey," and you've just seen that notification in your account, it feels like confirmation, not a scam.

Inventor

But the attacker has to register their own passkey while the victim is going through the process. How does that work technically?

Model

The phishing kit mimics the real enrollment interface. While the victim is entering their credentials and going through the steps, the attacker is using those credentials in real time to register a second passkey in the actual Microsoft account. By the time the victim closes the browser, the attacker already has a backdoor.

Inventor

So the victim might not even know they've been compromised?

Model

Right. They might think they successfully enrolled a passkey and move on. The attacker's passkey sits there silently, waiting to be used. The victim has no reason to check their passkey list.

Inventor

Why target these specific industries? Food and beverage, aviation, healthcare—what do they have in common?

Model

Valuable data and often weaker security than tech companies. Healthcare has patient records. Aviation has operational details. Food and beverage has supply chain information. These aren't random targets. They're chosen because the attackers know what the data is worth.

Inventor

The attackers say they're just after profit. Does that make them less dangerous than ideological hackers?

Model

In some ways, more dangerous. Ideological hackers might leak data to make a point. Financially motivated ones will sell it, hold it for ransom, or use it for fraud. They're not trying to prove anything. They're just trying to extract maximum value.

Contact Us FAQ